Web Security: Cookies and Attacks
Questions and Answers

Why is filtering out malicious tags considered challenging in web security?

  • Users rarely post custom HTML content.
  • There are a limited number of ways to implement JavaScript.
  • Filtering can lead to the complete blocking of all content.
  • There are many encoding schemes and methods to invoke JavaScript. (correct)

In the context of preventing XSS attacks, what is advised for headers, cookies, and query strings?

  • Automatically filter out all special characters.
  • Validate all parameters against a specific set of allowed content. (correct)
  • Encrypt all data before transmission.
  • Only allow parameters that are unknown to the server.

What type of policy is difficult to maintain when trying to filter out malicious content?

  • Whitelisting policies that allow only certain content.
  • Content delivery network policies for asset management.
  • Negative or attack signature based policies. (correct)
  • Access control policies that limit user permissions.

What is the primary consequence of Cross Site Scripting (XSS) vulnerabilities?

  • They enable execution of the attacker's malicious code in the victim's browser. (C) (correct)

Which type of XSS involves a malicious code being stored in a resource managed by the web application?

  • Stored XSS (C) (correct)

What method can be employed to mitigate XSS vulnerabilities in web applications?

  • Input validation and output encoding. (B) (correct)

In the context of XSS, what does a reflected attack typically involve?

  • The attack script being returned as part of a webpage to the user. (D) (correct)

What technique can attackers use to steal cookies through XSS?

  • By opening a popup window that captures document cookies. (A) (correct)

What does the Same-Origin Policy (SOP) restrict?

  • Interactions between pages from different origins. (C) (correct)

What is a key characteristic of Stored XSS compared to Reflected XSS?

  • Stored XSS requires interaction with the server's database. (D) (correct)

Which statement accurately describes how cookies can be affected by XSS?

  • XSS exploits can steal cookies when they are accessed via JavaScript. (B) (correct)

What does the Same Origin Policy (SOP) allow websites to do?

  • Embed resources but not inspect content from other origins. (A) (correct)

Which of the following is a potential risk associated with the Same Origin Policy vulnerabilities?

  • Attackers can pull off attacks without needing to view the response. (C) (correct)

What must servers include in their headers to allow cross-origin requests?

  • Access-Control-Allow-Origin (D) (correct)

What does JavaScript run under a different origin need to do to request additional resources?

  • Initiate CORS to allow access to the resource. (A) (correct)

What is a key feature of Cross-Origin Resource Sharing (CORS)?

  • CORS enables sharing of resources if explicitly allowed by headers. (A) (correct)

How does JavaScript typically handle requests to a different origin by default?

  • It is blocked from accessing any data sent back by a different origin. (C) (correct)

What is primarily a characteristic of the Same Origin Policy?

  • It ensures that scripts can interact only with resources from their own origin. (D) (correct)

What type of attack does the vulnerability in SOP potentially facilitate?

  • Cross-Site Request Forgery (CSRF) (C) (correct)

Flashcards

Samy Worm

A malicious program that spreads by exploiting a vulnerability in MySpace's HTML functionality. It added the phrase "but most of all, samy is my hero" to users' profiles and sent friend requests to Samy.

MySpace Bug

It allowed users to post HTML code on their profiles, enabling attackers to inject malicious code.

Filtering Malicious Tags

The process of identifying and removing potentially harmful content from user input to prevent XSS attacks.

Validating Input

A way to protect against XSS attacks that focuses on defining what input is acceptable, instead of blocking specific attacks.


Attack Signature Based Policies

A method of protecting against XSS attacks that involves searching for specific attack patterns. However, maintaining and updating these filters is difficult.


Cross Site Scripting (XSS)

An attack where an application takes untrusted data and sends it to a web browser without proper validation or sanitization, allowing malicious code to be executed on the victim's browser.


Reflected XSS

The attacker's script code is reflected back to the user as part of a page from the victim site. The script executes on the user's browser.


Stored XSS

The attacker stores their malicious code in a resource managed by the web application, such as a database.


XSS Vulnerability

A vulnerability where an attacker can inject scripting code into pages generated by a web application. This can lead to malicious code execution on the victim's browser.


PayPal XSS Attack

An example of Reflected XSS. Attackers sent emails prompting users to visit legitimate web pages with malicious code embedded in the URL. The code then redirected victims to phishing sites to steal their credentials.


SQL Injection

A web attack that targets an application's data, such as database records, in order to gain unauthorized access or modify data.


Command Injection

The attacker's malicious code is executed on the application's server.


Untrusted Data

Data that an attacker can manipulate and insert into an application to exploit vulnerabilities.


Same Origin Policy

The restriction that prevents websites from directly accessing resources (like data or images) from different origins. This is done to protect user privacy and security.


DOM Same Origin Policy

The rule that forbids a website from directly accessing and manipulating content from a different origin. This is often implemented to prevent malicious websites from stealing data.


DOM SOP Vulnerabilities

A security vulnerability that allows attackers to steal data from a website even if they cannot view the response to a request. This is possible because a website might send sensitive information to the attacker's website without the user's knowledge.


Javascript Requests

A mechanism that allows websites to make new requests for additional data and resources. This is often used to load extra data from a website or a server, possibly to fetch dynamic content or user data.


Cross-Origin Resource Sharing (CORS)

This is a mechanism that allows websites to read data from a different origin by verifying that the origin is trusted and authorized. Servers can add an 'Access-Control-Allow-Origin' (ACAO) header to indicate that content from the requesting origin can be read.


Access-Control-Allow-Origin (ACAO) header

In CORS, a server's response header that signifies permission for a specified origin to read the data being sent. It is typically used to control which origins can access data from a protected resource.


Simple CORS

A CORS configuration where requests can only be made to a specific origin. It restricts the ability for any other origin to access the data or resources.


Complex CORS

A CORS configuration that enables more complex requests and is more flexible in terms of the origins that can access data.


Study Notes

Cookies and Web Attacks

  • Web Same Origin Policy prevents a website from accessing resources from another website.
  • A DOM origin is defined by (scheme, domain, port), e.g., (http, stanford.edu, 80).
  • A website can embed resources from any origin, but the requesting site cannot access the content from another origin.

DOM SOP Vulnerabilities

  • Attackers can exploit DOM SOP by requesting resources without needing to see the response.
  • This enables them to extract sensitive data (e.g., bank account transfer information) without directly seeing it.

Javascript Requests

  • Javascript allows making requests for additional data and resources.
  • Often used to fetch data from a different domain.
  • An example using jQuery is shown.

Cross-Origin Resource Sharing (CORS)

  • Javascript cannot read data from a different origin by default.
  • Servers can add an Access-Control-Allow-Origin header to allow access from another origin.
  • For example, if app.bank.com wants to access data from api.bank.com, api.bank.com needs to include the header Access-Control-Allow-Origin (ACAO) with the value app.bank.com in its response.

Simple vs. Pre-Flight Requests

  • CORS performs a pre-flight check when the request could not have been made without JavaScript (a plain link or form could not send it), to see if the server allows it from the specified origin.
  • A pre-flight check is required when sending JSON data.
  • The browser sends an OPTIONS request as the preliminary check.
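As an added example (not code from the lecture notes), the two sides of the rule above in plain Python: a browser-side check of whether a request is "simple" or needs the OPTIONS pre-flight, and the decision api.bank.com would make when answering it. The allow-list, the https scheme and the custom header name X-Requested-By are assumptions for this demo; only the hostnames app.bank.com and api.bank.com come from the notes.

```python
# Added example, not part of the lecture notes: a server-side CORS decision for
# api.bank.com written in plain Python. Assumptions: the allow-list below,
# the https scheme, and the header names used by the hypothetical client.

ALLOWED_ORIGINS = {"https://app.bank.com"}        # constructed allow-list for api.bank.com
ALLOWED_METHODS = {"GET", "POST", "PUT"}
ALLOWED_HEADERS = {"content-type", "x-requested-by"}

# Content types a browser may send without a pre-flight (form-style bodies).
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def needs_preflight(method, content_type=None, custom_headers=()):
    """Browser-side rule (simplified from the Fetch spec): a request is 'simple',
    and so needs no OPTIONS pre-flight, only if it is GET/HEAD/POST, carries a
    form-style Content-Type, and sets no custom headers. A JSON body or a header
    such as X-Requested-By therefore forces the pre-flight."""
    if method not in {"GET", "HEAD", "POST"}:
        return True
    if custom_headers:
        return True
    if content_type is not None:
        base = content_type.split(";", 1)[0].strip().lower()
        if base not in SIMPLE_CONTENT_TYPES:
            return True
    return False


def cors_headers(method, origin, acr_method=None, acr_headers=None):
    """Server-side decision for api.bank.com.

    Returns the CORS response headers to add, {} for a request without an
    Origin header, or None when the request must be refused: the browser then
    withholds the response from the calling script or fails the pre-flight.
    The allowed origin is echoed back exactly and paired with Vary: Origin;
    '*' is never combined with Access-Control-Allow-Credentials: true."""
    if origin is None:
        return {}
    if origin not in ALLOWED_ORIGINS:
        return None
    headers = {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",
    }
    if method == "OPTIONS":
        # Pre-flight: the browser asks whether the real method and headers are allowed.
        if acr_method not in ALLOWED_METHODS:
            return None
        requested = {h.strip().lower() for h in (acr_headers or "").split(",") if h.strip()}
        if not requested <= ALLOWED_HEADERS:
            return None
        headers["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        headers["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
        headers["Access-Control-Max-Age"] = "600"   # cache the pre-flight result for 10 minutes
    return headers


if __name__ == "__main__":
    print(needs_preflight("POST", "application/json"))
    print(cors_headers("OPTIONS", "https://app.bank.com", "POST", "Content-Type"))
    print(cors_headers("GET", "https://evil.example"))
```

The point to take from the server side is that the origin is compared against a fixed list and echoed back, never reflected blindly and never replaced by `*` when credentials (cookies) are allowed; otherwise any site could read the authenticated response.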

HTTP Cookies

  • HTTP Cookies are used to store data on the client-side.
  • A Set-Cookie header is used to set cookies in the response from the server.
  • The header contains the cookie name and value.

Cookies and Same Origin

  • Cookies are sent based on the URL being requested, regardless of who makes the request.
  • A cookie's domain must be a suffix of the URL's domain.
  • A cookie's path must be a prefix of the URL's path.
  • Cookies that belong to the domain or a parent domain AND are at the same path or a parent path are in scope.
  • In-scope cookies are sent regardless of who is making the request.
  • Cookies that are not in scope are not sent; each cookie is bound to its domain and path.
  • Permission to set a cookie is based on the parent-child relationship of the domain and path.
  • cs155.stanford.edu can set a cookie for stanford.edu.
  • website.com/ can set a cookie for website.com/something.
  • A child domain can access/set cookies on its parent domain.
  • A parent domain cannot access/set cookies on child domains.

No Domain Cookies

  • A cookie set without a Domain attribute is scoped to the host name instead of the domain.
  • Such cookies are not sent to subdomains, because the server did not specify a domain in the Set-Cookie header.
  • Cookies are specific to the domain and path.
  • Without a domain specified, cookies are sent only to the exactly matching host.
  • If no Path is given in the Set-Cookie header, the path defaults to the directory of the current URL; the cookie is then sent to that path and all paths beneath it.
  • JavaScript can read and modify in-scope cookies through the document.cookie property.
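The scoping rules in the two lists above (domain suffix, path prefix, host-only cookies, the Secure and HttpOnly flags, and who may set a cookie for whom), written out as one small matcher in the style of RFC 6265. This is an added example, not code from the lecture; the cookie jar and the URLs are constructed for the demo, and only the stanford.edu hostnames are taken from the notes.

```python
# Added example, not from the lecture notes: the cookie scoping rules above
# written out as a small Python matcher in the style of RFC 6265. The cookie
# jar and URLs are constructed for the demo.
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str              # for host_only cookies this is the host that set it
    path: str
    host_only: bool = False  # True when Set-Cookie carried no Domain= attribute
    secure: bool = False
    http_only: bool = False


def domain_matches(cookie, host):
    """Domain attribute present: host must equal the cookie domain or end with
    '.' + domain (child domains receive it). No Domain attribute: exact host only."""
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def path_matches(cookie, path):
    """Cookie path must be the request path or a directory prefix of it."""
    cp = cookie.path
    if path == cp:
        return True
    if path.startswith(cp):
        return cp.endswith("/") or path[len(cp)] == "/"
    return False


def default_path(url_path):
    """Path used when Set-Cookie has no Path=: the directory of the request URL."""
    if not url_path.startswith("/") or url_path.count("/") == 1:
        return "/"
    return url_path.rsplit("/", 1)[0]


def can_set_cookie(setting_host, cookie_domain):
    """A host may set a cookie for itself or for a parent domain, never for a
    child. (Real browsers also refuse public suffixes such as 'com'; that list
    is omitted here.)"""
    return setting_host == cookie_domain or setting_host.endswith("." + cookie_domain)


def cookies_for_request(jar, url):
    """Cookies a browser attaches to a request for url, whoever triggered it."""
    parts = urlsplit(url)
    host, path = parts.hostname, parts.path or "/"
    https = parts.scheme == "https"
    return [c for c in jar
            if domain_matches(c, host) and path_matches(c, path) and (https or not c.secure)]


def document_cookie(jar, url):
    """What script on the page sees via document.cookie: in-scope cookies minus HttpOnly."""
    return "; ".join(f"{c.name}={c.value}"
                     for c in cookies_for_request(jar, url) if not c.http_only)


# Constructed jar: a session cookie set by cs155.stanford.edu with Domain=stanford.edu,
# a host-only cookie on cs155.stanford.edu, and a path-scoped cookie under /dabo.
JAR = [
    Cookie("session", "abc", "stanford.edu", "/", secure=True, http_only=True),
    Cookie("hostonly", "1", "cs155.stanford.edu", "/", host_only=True),
    Cookie("pref", "dark", "cs.stanford.edu", "/dabo", host_only=True),
]


def names_for(url):
    return [c.name for c in cookies_for_request(JAR, url)]


if __name__ == "__main__":
    print(names_for("https://cs155.stanford.edu/hw1"))
    print(names_for("http://cs155.stanford.edu/hw1"))   # Secure cookie withheld over http
    print(document_cookie(JAR, "https://cs155.stanford.edu/"))
```

Two details worth noticing: the path check stops `/dabo` from matching `/daboX` (a prefix match on characters alone would be wrong), and `document_cookie` drops the HttpOnly session cookie even though the browser still sends it, which is exactly the separation the HttpOnly section below relies on.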

SOP Policy Collisions

  • Cookies set by one part of a site (e.g., cs.stanford.edu/dabo) are not accessible from another part (e.g., cs.stanford.edu/zakir).

Third Party Access

  • Javascript running from a different domain can access the cookies of the origin that included it.

HttpOnly Cookies

  • HttpOnly cookies are not accessible by Javascript on the client-side (document.cookie).

Problem with HTTP Cookies

  • Attackers can trick a user into navigating to an unauthorized website via a malicious link, even if the user normally accesses the site over HTTPS; this leaves cookies vulnerable to theft.

Secure Cookies

  • A secure cookie is only sent to the server with an HTTPS request.
  • This describes how a POST request allows the client to change the cookie.
  • This will be followed by a GET request which will require a cookie.

Session Hijacking Attacks

  • Session hijacking is capturing a user's session using methods like network sniffing or malicious Javascript.

Cross-Site Request Forgery (CSRF)

  • CSRF is a web exploit where a website sends unauthorized commands as a user.
  • A user is tricked into submitting an unintended web request to a website.
  • Cookie-based authentication isn't secure for requests with side effects.

Preventing CSRF Attacks

  • To prevent CSRF attacks, add mechanisms to verify that a request is authentic, as cookies on their own do not guarantee this.
  • Common methods for this include Referer validation, secret validation tokens, custom HTTP headers, and SameSite cookies.

Referer Validation

  • This technique uses the Referer header in the request to check where the request came from.
  • If the request did not come from a trusted source this will not pass validation.

Secret Token Validation

  • Servers include a unique token in forms that clients need to include in form submissions to verify the authenticity of the request.

Secret Token Generation

  • The method used to create a unique token on the server side.
    • A static token can be used within forms, but if the user accesses the server by any means outside the form, the token is potentially exposed.
    • The token can instead be session-specific and sent as part of the page, which protects it from theft thanks to the separation of permissions between origins.
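An added example, not from the lecture, that implements the two checks described in the Referer Validation and Secret Token Validation sections together: a per-session random token embedded in the form and compared in constant time on submission, plus a Referer check as an independent second layer. The in-memory session store, the /transfer route and the host bank.example are constructed for the demo.

```python
# Added example, not from the lecture notes: per-session secret tokens and a
# Referer check as two independent CSRF defences, in plain Python. The session
# store, route name /transfer and the trusted host are constructed for the demo.
import hmac
import secrets
from urllib.parse import urlsplit

TRUSTED_HOST = "bank.example"      # constructed: the site's own host
SESSIONS = {}                      # constructed in-memory store: session id -> session data


def new_session():
    """Create a session and bind a fresh random token to it. A token that is
    static across sessions would leak to anyone who can see any page."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    return SESSIONS[sid]["csrf_token"]


def render_transfer_form(sid):
    """Embed the session's token in the form. A cross-site page cannot read
    this HTML (Same Origin Policy), so it cannot learn the token to forge a submission."""
    token = csrf_token_for(sid)
    return ('<form method="post" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="amount"><button>Send</button></form>')


def token_valid(sid, submitted):
    sess = SESSIONS.get(sid)
    if sess is None or not submitted:
        return False
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(sess["csrf_token"].encode(), submitted.encode())


def referer_valid(referer, strict=True):
    """Referer validation: accept only requests that state they came from our
    own site. With strict=True a missing Referer is rejected (some clients strip
    it, which costs usability); strict=False lets a missing header through."""
    if referer is None:
        return not strict
    return urlsplit(referer).hostname == TRUSTED_HOST


def handle_transfer(cookie_sid, form, referer=None):
    """POST /transfer: the session cookie alone proves nothing about intent, so
    require the per-session token; the Referer check is a second, independent layer."""
    if not token_valid(cookie_sid, form.get("csrf_token")):
        return 403, "CSRF token missing or wrong"
    if not referer_valid(referer):
        return 403, "unexpected Referer"
    return 200, f"transferred {form.get('amount')}"


if __name__ == "__main__":
    sid = new_session()
    print(render_transfer_form(sid))
    print(handle_transfer(sid, {"csrf_token": csrf_token_for(sid), "amount": "10"},
                          "https://bank.example/transfer"))
    # A forged cross-site form carries the cookie (sid) but not the token:
    print(handle_transfer(sid, {"amount": "10"}, "https://evil.example/"))
```

The forged request in the last line is exactly the CSRF case: the browser attaches the session cookie automatically, but the attacker's page has no way to read the token out of the victim's form, so the submission is refused.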

Force CORS Pre-Flight

  • This forces the browser to perform a pre-flight check when a request is made, alerting the server that the request needs this type of check.
  • Typically, developers add a custom header such as X-Requested-By.

SameSite Cookies

  • SameSite prevents the browser from sending the cookie along with cross-site requests.
  • Strict mode disables sending the cookie in any cross-site context, even when following a regular link.
  • Lax mode allows the cookie only when a regular link is used to navigate to the site; however, it blocks the cookie on CSRF-prone cross-site requests.

Beyond Authenticated Sessions

  • CSRF attacks can be used even when the user is logged into the service.
  • There are other attacks unrelated to authentication, for example scripts that access the user's router and modify sensitive settings.

SQL Injection

  • SQL injection attacks occur when unsafe user data is used in SQL queries.
  • Attackers can read or modify sensitive data and run arbitrary commands.

SQL Injection Example

  • An example of how SQL injection lets attackers add unexpected commands

Non-Malicious Input

  • An example of an expected query

Bad Input

  • An example of an attempt to exploit the query

Malicious Input

  • An example of a successful attack

No Username Needed!

  • An example of an attack that does not require a username

Causing Damage

  • An example of a successful attack that causes SQL server damage

MSSQL xp_cmdshell

  • A Microsoft SQL server feature that allows running arbitrary system commands

Escaping Database Server

  • An example of exploiting the MSSQL xp_cmdshell feature to run arbitrary commands, possibly gaining access to the system

Preventing SQL Injection

  • Don't trust user input when constructing commands.
  • Use parameterized SQL or ORMs.

Parameterized SQL

  • Parameterized SQL separates commands from arguments, preventing attackers from injecting malicious code.
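The slides' login query worked through in code, as an added example that is not from the lecture: the string-concatenated form that the Non-Malicious Input, Bad Input, Malicious Input and "No Username Needed!" slides exercise, beside the parameterized form recommended above. It uses Python's built-in sqlite3; the users table and its two rows are constructed for the demo (xp_cmdshell is MSSQL-specific and has no SQLite counterpart, so that slide is not reproduced).

```python
# Added example, not from the lecture notes: the login query built two ways in
# Python's sqlite3, the string-concatenated form beside the parameterized form.
# The users table and its rows are constructed for the demo.
import sqlite3


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "battery staple")])
    conn.commit()
    return conn


def login_concatenated(conn, username, password):
    """Vulnerable form: user data becomes part of the SQL text, so quotes and
    comment markers in the input change the command the server runs."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Hardened form: the command is fixed, the values travel separately as
    parameters and are never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = setup_db()
    print(login_concatenated(db, "alice", "correct horse"))   # expected query: alice
    print(login_concatenated(db, "alice", "wrong"))           # None
    print(login_concatenated(db, "", "' OR '1'='1"))          # no username needed: alice
    print(login_parameterized(db, "", "' OR '1'='1"))         # None: input treated as data
```

With the concatenated query the `' OR '1'='1` password turns the WHERE clause into `(username = '' AND password = '') OR '1'='1'`, which is true for every row, so the first user is returned without any credentials. The parameterized query compares the password column against the literal string, which matches nothing.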

Object Relational Mappers

  • ORMs offer a way to interact with the database that does not require manual SQL command construction.

Cross Site Scripting (XSS)

  • An attack where malicious code is injected into a legitimate webpage.
  • The attacker's code is executed in the user's browser, not on the server.

Search Example

  • An example of a search page vulnerable to XSS

Normal Request

  • A demonstration of a normal search request to a webpage, without any embedded malicious content

Embedded Script

  • Examples of how malicious scripts can be injected into a webpage, possibly from a different origin.
  • An example that demonstrates how malicious content can be used to steal the user's cookies.
  • This may not be an XSS attack but a malicious injection.

Types of XSS

  • Reflected XSS, where the code is reflected back to the user.
  • Stored XSS, where the code is stored on a server.

Reflected Example

  • An example of how reflected XSS could be used.
  • Attackers can trick users into visiting websites that run malicious scripts, which could run arbitrary commands.

Stored XSS

  • Attackers can store malicious code in a server resource that would be run by any user who accesses it

Samy Worm

  • A malicious exploit that spread quickly using XSS vulnerabilities

MySpace Bug

  • A vulnerability in MySpace that allowed users to run malicious scripts

Filtering Malicious Tags

  • Techniques used to prevent XSS attacks

Filtering is Really Hard

  • There are many ways to write malicious code that will run if developers do not use secure techniques.
  • Many XSS attacks involve escaping/encoding to circumvent filters.

Filters that Change Content

  • The types of filters and escapes that could be used to prevent XSS attacks

Content Security Policies (CSP)

  • Defines a whitelist of allowed resources, preventing the execution of untrusted scripts.
  • Delivered via the Content-Security-Policy response header.

Other Directives

  • CSP provides other rules for various resources such as images, fonts, or JavaScript
  • A sample CSP policy that whitelists resources from the same origin, preventing various types of attacks.

Report Mode Only

  • CSP report-only mode reports violations without blocking resources.
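An added example (not from the lecture) that ties together the Search Example, the "Filtering is Really Hard" point and the CSP sections above: the search page rendered with the query copied in verbatim, a naive blocklist filter that strips one spelling of the tag, the output-encoded version that the earlier quiz answer recommends, and a helper that builds the CSP header in enforcing or report-only form. The page markup, the search term and the report endpoint /csp-report are constructed.

```python
# Added example, not from the lecture notes: the vulnerable search page beside
# its output-encoded form, a naive tag filter to show why blocklist filtering
# fails, and the CSP header (enforcing or report-only). Markup is constructed.
import html
from urllib.parse import quote


def render_search_vulnerable(term):
    """The search example: the query string is copied into the page verbatim."""
    return f"<p>Results for: {term}</p>"


def naive_filter(term):
    """Blocklist filtering: strips one spelling of the tag only. Case changes,
    other tags and alternative encodings slip past, which is why filtering is hard."""
    return term.replace("<script>", "").replace("</script>", "")


def render_search_safe(term):
    """Output encoding for the context the data lands in: HTML escaping for the
    body text (quote=True also covers attribute values), percent-encoding for
    the URL query. The browser then shows the characters instead of parsing them."""
    return (f"<p>Results for: {html.escape(term, quote=True)}</p>"
            f'<a href="/search?q={quote(term, safe="")}">search again</a>')


def csp_header(report_only=False, report_uri=None):
    """Header name and value for a same-origin allow-list: scripts, images and
    fonts only from 'self', no plugins, no <base> hijacking. report_only selects
    Content-Security-Policy-Report-Only, which reports violations but blocks nothing."""
    directives = [
        "default-src 'self'",
        "script-src 'self'",
        "img-src 'self'",
        "font-src 'self'",
        "object-src 'none'",
        "base-uri 'self'",
    ]
    if report_uri:
        directives.append(f"report-uri {report_uri}")
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, "; ".join(directives)


def contains_script_tag(page):
    """Detection helper: does the rendered page still contain a live <script tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    term = "<script>steal()</script>"          # constructed search term
    print(render_search_vulnerable(term))
    print(render_search_safe(term))
    print(csp_header(report_only=True, report_uri="/csp-report"))
```

Note that inline injected script would also be refused by `script-src 'self'` (inline scripts are not allowed unless a policy explicitly enables them), so CSP is a second layer behind output encoding, not a replacement for it; rolling it out in report-only mode first shows which legitimate scripts on the page would break.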

Real-World Breaks CSP

  • An example of how real world scripts could violate CSP

Similar Protection for iFrames

  • HTML5 sandboxes provide enhanced protection for iframes, preventing attacks even when the frame is on the same domain.
  • iframe protections can still be violated through vulnerabilities, e.g., iframes can still use various attack methods to abuse features that carry no security restrictions beyond those of the main page.

Description

Explore the complexities of web security with a focus on cookies and various web attacks. This quiz covers concepts like the Same Origin Policy, cross-origin resource sharing, and vulnerabilities related to DOM SOP. Test your understanding of how these elements interact to protect sensitive data on the web.
